From 8a948caf2b88f6249a6b94c09e13ee46cf2e0964 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Aug 07 2008 14:17:50 +0000
Subject: trunk: 11 more cherry picks from fedora policy, by david hardeman.
---
diff --git a/Changelog b/Changelog
index 23fab1a..3cd8425 100644
--- a/Changelog
+++ b/Changelog
@@ -3,7 +3,7 @@
 Carter.
 - Database labeled networking update from KaiGai Kohei.
 - Several misc changes from the Fedora policy, cherry picked by David
- Hrdeman.
+ Hardeman.
 - Large whitespace fix from Dominick Grift.
 - Pam_mount fix for local login from Stefan Schulze Frielinghaus.
 - Issuing commands to upstart is over a datagram socket, not the initctl
diff --git a/policy/modules/admin/amanda.fc b/policy/modules/admin/amanda.fc
index 74ebff5..3006bff 100644
--- a/policy/modules/admin/amanda.fc
+++ b/policy/modules/admin/amanda.fc
@@ -3,6 +3,7 @@
 /etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
 /etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0)
 /etc/dumpdates gen_context(system_u:object_r:amanda_dumpdates_t,s0)
+/etc/amanda/.*/index(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
 /root/restore -d gen_context(system_u:object_r:amanda_recover_dir_t,s0)
diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te
index fc0672b..5d6087d 100644
--- a/policy/modules/admin/amanda.te
+++ b/policy/modules/admin/amanda.te
@@ -1,5 +1,5 @@
-policy_module(amanda, 1.9.0)
+policy_module(amanda, 1.9.1)
 #######################################
 #
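Review bot: The new `/etc/amanda/.*/index(/.*)?` line in amanda.fc is placed after `/etc/dumpdates` instead of next to the `/etc/amanda/.*/tapelist(/.*)?` entry it mirrors, so the two amanda_data_t subtrees under /etc/amanda are separated by unrelated labels. Keeping the /etc/amanda subpaths together makes it obvious at a glance which parts of the configuration tree are writable data; moving the line directly below the tapelist entry is enough.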
@@ -82,8 +82,9 @@ allow amanda_t amanda_amandates_t:file { getattr lock read write };
 allow amanda_t amanda_config_t:file { getattr read };
 # access to amandas data structure
-allow amanda_t amanda_data_t:dir { read search write };
-allow amanda_t amanda_data_t:file manage_file_perms;
+manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
+manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
+filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
 # access to amanda_dumpdates_t
 allow amanda_t amanda_dumpdates_t:file { getattr lock read write };
@@ -146,6 +147,8 @@ fs_getattr_xattr_fs(amanda_t)
 fs_list_all(amanda_t)
 storage_raw_read_fixed_disk(amanda_t)
+storage_read_tape(amanda_t)
+storage_write_tape(amanda_t)
 # Added for targeted policy
 term_use_unallocated_ttys(amanda_t)
diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te
index 626acf4..3ce6be8 100644
--- a/policy/modules/admin/anaconda.te
+++ b/policy/modules/admin/anaconda.te
@@ -1,5 +1,5 @@
-policy_module(anaconda, 1.3.0)
+policy_module(anaconda, 1.3.1)
 ########################################
 #
@@ -32,15 +32,9 @@ modutils_domtrans_insmod(anaconda_t)
 seutil_domtrans_semanage(anaconda_t)
-unconfined_domain(anaconda_t)
-
 unprivuser_home_dir_filetrans_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
 optional_policy(`
- dmesg_domtrans(anaconda_t)
-')
-
-optional_policy(`
 kudzu_domtrans(anaconda_t)
 ')
@@ -58,5 +52,9 @@ optional_policy(`
 ')
 optional_policy(`
+ unconfined_domain(anaconda_t)
+')
+
+optional_policy(`
 usermanage_domtrans_admin_passwd(anaconda_t)
 ')
diff --git a/policy/modules/admin/kismet.te b/policy/modules/admin/kismet.te
index 57c94e8..92c9db8 100644
--- a/policy/modules/admin/kismet.te
+++ b/policy/modules/admin/kismet.te
@@ -1,5 +1,5 @@
-policy_module(kismet, 1.0.1)
+policy_module(kismet, 1.0.2)
 ########################################
 #
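Review bot: In the anaconda.te hunk at @@ -32, `dmesg_domtrans(anaconda_t)` is removed at the same time `unconfined_domain(anaconda_t)` moves into an `optional_policy` block, so in a build without the unconfined module anaconda_t loses its dmesg transition and is left with only the handful of rules visible here; whether the installer is meant to function as a confined domain in that configuration is not stated. If the intent is that anaconda is only usable when the unconfined module is present, a comment above the new block such as `# anaconda is only supported as an unconfined domain` would stop the next reader from treating the remaining rules as a complete policy. The amanda.te hunk at @@ -82 widens amanda_data_t access from `dir { read search write }` to full manage plus a file transition from amanda_config_t; a one-line comment naming what amanda creates under the config tree (presumably the index directories labeled amanda_data_t in amanda.fc) would document why the broader rights are needed.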
@@ -25,7 +25,7 @@ logging_log_file(kismet_log_t)
 # kismet local policy
 #
-allow kismet_t self:capability { net_admin setuid setgid };
+allow kismet_t self:capability { net_admin net_raw setuid setgid };
 allow kismet_t self:packet_socket create_socket_perms;
 manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if
index 0f65859..0e3fd06 100644
--- a/policy/modules/admin/netutils.if
+++ b/policy/modules/admin/netutils.if
@@ -70,6 +70,24 @@ interface(`netutils_exec',`
 ########################################
 ##
+## Send generic signals to network utilities.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`netutils_signal',`
+ gen_require(`
+ type netutils_t;
+ ')
+
+ allow $1 netutils_t:process signal;
+')
+
+########################################
+##
 ## Execute ping in the ping domain.
 ##
 ##
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index d61c1e0..506b222 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,5 +1,5 @@
-policy_module(netutils, 1.6.0)
+policy_module(netutils, 1.6.1)
 ########################################
 #
diff --git a/policy/modules/apps/usernetctl.if b/policy/modules/apps/usernetctl.if
index 166724b..2dbc328 100644
--- a/policy/modules/apps/usernetctl.if
+++ b/policy/modules/apps/usernetctl.if
@@ -63,4 +63,9 @@ interface(`usernetctl_run',`
 optional_policy(`
 modutils_run_insmod(usernetctl_t, $2, $3)
 ')
+
+
+ optional_policy(`
+ ppp_run(usernetctl_t,$2,$3)
+ ')
 ')
diff --git a/policy/modules/apps/usernetctl.te b/policy/modules/apps/usernetctl.te
index 4f9a4f6..49cbf29 100644
--- a/policy/modules/apps/usernetctl.te
+++ b/policy/modules/apps/usernetctl.te
@@ -1,5 +1,5 @@
-policy_module(usernetctl, 1.3.0)
+policy_module(usernetctl, 1.3.1)
 ########################################
 #
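Review bot: The new `ppp_run(usernetctl_t,$2,$3)` call in usernetctl.if omits the spaces after the commas that the `modutils_run_insmod(usernetctl_t, $2, $3)` call two lines above uses, and it is preceded by two added blank lines where the rest of the interface uses one; `ppp_run(usernetctl_t, $2, $3)` with a single blank line keeps the block consistent. Since the call forwards the caller's `$2` and `$3` (presumably role and terminal, as with the modutils line), every role granted usernetctl_run now also gets a role transition into the ppp domain, which the interface's summary (outside this hunk) should mention. The kismet.te hunk on the same line adds `net_raw` to the capability set with no comment; `# net_raw for packet_socket capture` next to the existing packet_socket rule would tie the two together.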
@@ -49,15 +49,21 @@ files_read_usr_files(usernetctl_t)
 fs_search_auto_mountpoints(usernetctl_t)
+auth_use_nsswitch(usernetctl_t)
+
 libs_use_ld_so(usernetctl_t)
 libs_use_shared_libs(usernetctl_t)
+logging_send_syslog_msg(usernetctl_t)
+
 miscfiles_read_localization(usernetctl_t)
 seutil_read_config(usernetctl_t)
 sysnet_read_config(usernetctl_t)
+term_search_ptys(usernetctl_t)
+
 optional_policy(`
 hostname_exec(usernetctl_t)
 ')
diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index af07b7a..3a63d3a 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -13,6 +13,7 @@
 /dev/cm20.* -b gen_context(system_u:object_r:removable_device_t,s0)
 /dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/drbd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/fd[^/]+ -b gen_context(system_u:object_r:removable_device_t,s0)
 /dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0)
@@ -48,6 +49,7 @@ ifdef(`distro_redhat', `
 /dev/tw[a-z][^/]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/ub[a-z][^/]+ -b gen_context(system_u:object_r:removable_device_t,mls_systemhigh)
 /dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/vd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/xvd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/ataraid/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 2b05767..63e7842 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
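Review bot: The hunk header `ifdef(`distro_redhat', `` for the second storage.fc hunk suggests the new `/dev/vd[^/]*` entry may sit inside a Red Hat-only block, but virtio block devices are not distribution-specific; if that is where it lands, it belongs next to the unconditional `/dev/drbd[^/]*` entry in the first hunk so that non-Red Hat builds also label virtio disks as fixed_disk_device_t. The enclosing ifdef starts outside the hunk, so this needs checking against the full file rather than the header alone. Both new entries correctly carry mls_systemhigh like the surrounding fixed-disk devices.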
@@ -81,6 +81,26 @@ interface(`storage_dontaudit_setattr_fixed_disk_dev',`
 ########################################
 ##
+## dontaudit the caller attempts to read from a fixed disk.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`storage_dontaudit_raw_read_fixed_disk',`
+ gen_require(`
+ attribute fixed_disk_raw_read;
+ type fixed_disk_device_t;
+ ')
+
+ dontaudit $1 fixed_disk_device_t:blk_file read_blk_file_perms;
+ dontaudit $1 fixed_disk_device_t:chr_file read_chr_file_perms;
+')
+
+########################################
+##
 ## Allow the caller to directly read from a fixed disk.
 ## This is extremly dangerous as it can bypass the
 ## SELinux protections for filesystem objects, and
diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te
index 864e111..75524d9 100644
--- a/policy/modules/kernel/storage.te
+++ b/policy/modules/kernel/storage.te
@@ -1,5 +1,5 @@
-policy_module(storage, 1.6.0)
+policy_module(storage, 1.6.1)
 ########################################
 #
diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te
index b534aca..ff04fb2 100644
--- a/policy/modules/services/fetchmail.te
+++ b/policy/modules/services/fetchmail.te
@@ -1,5 +1,5 @@
-policy_module(fetchmail, 1.6.0)
+policy_module(fetchmail, 1.6.1)
 ########################################
 #
@@ -14,7 +14,7 @@ type fetchmail_var_run_t;
 files_pid_file(fetchmail_var_run_t)
 type fetchmail_etc_t;
-files_type(fetchmail_etc_t)
+files_config_file(fetchmail_etc_t)
 type fetchmail_uidl_cache_t;
 files_type(fetchmail_uidl_cache_t)
diff --git a/policy/modules/services/oav.te b/policy/modules/services/oav.te
index 2c93c85..bf24c47 100644
--- a/policy/modules/services/oav.te
+++ b/policy/modules/services/oav.te
@@ -1,5 +1,5 @@
-policy_module(oav, 1.6.0)
+policy_module(oav, 1.6.1)
 ########################################
 #
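Review bot: The `gen_require` block of the new `storage_dontaudit_raw_read_fixed_disk` interface declares `attribute fixed_disk_raw_read;` but neither dontaudit rule references it, so the require is dead and only adds an unnecessary dependency on the attribute; drop that line and keep just `type fixed_disk_device_t;`. The summary line `## dontaudit the caller attempts to read from a fixed disk.` reads awkwardly; `## Do not audit attempts by the caller to read from a fixed disk.` follows the phrasing of the neighbouring interfaces. Covering both `blk_file` and `chr_file` is right, since storage.fc labels both `-b` and `-c` nodes as fixed_disk_device_t.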
@@ -12,7 +12,7 @@ application_domain(oav_update_t, oav_update_exec_t)
 # cjp: may be collapsable to etc_t
 type oav_update_etc_t;
-files_type(oav_update_etc_t)
+files_config_file(oav_update_etc_t)
 type oav_update_var_lib_t;
 files_type(oav_update_var_lib_t)
@@ -22,7 +22,7 @@ type scannerdaemon_exec_t;
 init_daemon_domain(scannerdaemon_t, scannerdaemon_exec_t)
 type scannerdaemon_etc_t;
-files_type(scannerdaemon_etc_t)
+files_config_file(scannerdaemon_etc_t)
 type scannerdaemon_log_t;
 logging_log_file(scannerdaemon_log_t)
diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
index dc94414..3ee2dd7 100644
--- a/policy/modules/services/ricci.te
+++ b/policy/modules/services/ricci.te
@@ -1,5 +1,5 @@
-policy_module(ricci, 1.3.0)
+policy_module(ricci, 1.3.1)
 ########################################
 #
@@ -443,6 +443,7 @@ kernel_read_system_state(ricci_modstorage_t)
 create_files_pattern(ricci_modstorage_t, ricci_modstorage_lock_t, ricci_modstorage_lock_t)
 files_lock_filetrans(ricci_modstorage_t, ricci_modstorage_lock_t, file)
+corecmd_exec_shell(ricci_modstorage_t)
 corecmd_exec_bin(ricci_modstorage_t)
 dev_read_sysfs(ricci_modstorage_t)
diff --git a/policy/modules/services/rsync.fc b/policy/modules/services/rsync.fc
index 231149a..503812f 100644
--- a/policy/modules/services/rsync.fc
+++ b/policy/modules/services/rsync.fc
@@ -1,2 +1,6 @@
 /usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)
+
+/var/log/rsync\.log -- gen_context(system_u:object_r:rsync_log_t,s0)
+
+/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_log_t,s0)
diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te
index 371d6bc..d7547bb 100644
--- a/policy/modules/services/rsync.te
+++ b/policy/modules/services/rsync.te
@@ -1,5 +1,5 @@
-policy_module(rsync, 1.6.0)
+policy_module(rsync, 1.6.1)
 ########################################
 #
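Review bot: In rsync.fc, `/var/run/rsyncd\.lock` is labeled `rsync_log_t`, the log-file type this commit introduces in rsync.te, but a runtime lock under /var/run should carry the pid-file type the module already has (`files_pid_file(rsync_var_run_t)` is visible in the rsync.te context); the line should read `/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0)`. As written, the lock file is only reachable through the `manage_files_pattern(rsync_t,rsync_log_t,rsync_log_t)` log rule, the `logging_log_filetrans` transition does not apply under /var/run, and any domain later granted read access to rsync logs would presumably see the lock as well. The `files_config_file` switches in oav.te and fetchmail.te look correct.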
@@ -31,6 +31,9 @@ role system_r types rsync_t;
 type rsync_data_t;
 files_type(rsync_data_t)
+type rsync_log_t;
+logging_log_file(rsync_log_t)
+
 type rsync_tmp_t;
 files_tmp_file(rsync_tmp_t)
@@ -42,7 +45,7 @@ files_pid_file(rsync_var_run_t)
 # Local policy
 #
-allow rsync_t self:capability sys_chroot;
+allow rsync_t self:capability { dac_read_search dac_override setuid setgid sys_chroot };
 allow rsync_t self:process signal_perms;
 allow rsync_t self:fifo_file rw_fifo_file_perms;
 allow rsync_t self:tcp_socket create_stream_socket_perms;
@@ -52,7 +55,6 @@ allow rsync_t self:udp_socket connected_socket_perms;
 # cjp: this should probably only be inetd_child_t rules?
 # search home and kerberos also.
 allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow rsync_t self:capability { setuid setgid };
 #end for identd
 allow rsync_t rsync_data_t:dir list_dir_perms;
@@ -95,7 +97,8 @@ libs_use_ld_so(rsync_t)
 libs_use_shared_libs(rsync_t)
 logging_send_syslog_msg(rsync_t)
-logging_dontaudit_search_logs(rsync_t)
+manage_files_pattern(rsync_t,rsync_log_t,rsync_log_t)
+logging_log_filetrans(rsync_t,rsync_log_t,file)
 miscfiles_read_localization(rsync_t)
 miscfiles_read_public_files(rsync_t)
@@ -117,7 +120,6 @@ optional_policy(`
 ')
 tunable_policy(`rsync_export_all_ro',`
- allow rsync_t self:capability dac_override;
 fs_read_noxattr_fs_files(rsync_t)
 auth_read_all_files_except_shadow(rsync_t)
 ')
diff --git a/policy/modules/services/stunnel.if b/policy/modules/services/stunnel.if
index d137c27..6073656 100644
--- a/policy/modules/services/stunnel.if
+++ b/policy/modules/services/stunnel.if
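Review bot: In rsync.te, `dac_override` moves out of the `rsync_export_all_ro` tunable (hunk @@ -117) into the unconditional `allow rsync_t self:capability { dac_read_search dac_override setuid setgid sys_chroot };` (hunk @@ -42), so the daemon now always holds the capability that bypasses file permission checks, where before it was granted only when the administrator opted into exporting all files. Unless the default configuration demonstrably needs it, keep `dac_override` (and `dac_read_search` with it) inside the tunable and leave the base rule as `allow rsync_t self:capability { setuid setgid sys_chroot };`. The `#end for identd` comment in hunk @@ -52 now dangles after the `setuid setgid` rule it closed was removed and should go with it. The new `manage_files_pattern(rsync_t,rsync_log_t,rsync_log_t)` and `logging_log_filetrans(rsync_t,rsync_log_t,file)` lines omit the spaces after commas used elsewhere in this file.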
@@ -1 +1,25 @@
 ## SSL Tunneling Proxy
+
+########################################
+##
+## Define the specified domain as a stunnel inetd service.
+##
+##
+##
+## The type associated with the stunnel inetd service process.
+##
+##
+##
+##
+## The type associated with the process program.
+##
+##
+#
+interface(`stunnel_service_domain',`
+ gen_require(`
+ type stunnel_t;
+ ')
+
+ domtrans_pattern(stunnel_t,$2,$1)
+ allow $1 stunnel_t:tcp_socket rw_socket_perms;
+')
diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te
index 9c281fa..c0a3e97 100644
--- a/policy/modules/services/stunnel.te
+++ b/policy/modules/services/stunnel.te
@@ -1,5 +1,5 @@
-policy_module(stunnel, 1.6.0)
+policy_module(stunnel, 1.6.1)
 ########################################
 #
@@ -20,7 +20,7 @@ ifdef(`distro_gentoo',`
 ')
 type stunnel_etc_t;
-files_type(stunnel_etc_t)
+files_config_file(stunnel_etc_t)
 type stunnel_tmp_t;
 files_tmp_file(stunnel_tmp_t)
diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
index 8c53f6e..1aaee04 100644
--- a/policy/modules/system/hotplug.te
+++ b/policy/modules/system/hotplug.te
@@ -1,5 +1,5 @@
-policy_module(hotplug, 1.9.0)
+policy_module(hotplug, 1.9.1)
 ########################################
 #
@@ -121,6 +121,7 @@ ifdef(`distro_redhat', `
 optional_policy(`
 # for arping used for static IP addresses on PCMCIA ethernet
 netutils_domtrans(hotplug_t)
+ netutils_signal(hotplug_t)
 fs_rw_tmpfs_chr_files(hotplug_t)
 ')
 files_getattr_generic_locks(hotplug_t)
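Review bot: In the new `stunnel_service_domain` interface, `domtrans_pattern(stunnel_t,$2,$1)` omits the spaces after the commas that the other pattern calls in this commit use; `domtrans_pattern(stunnel_t, $2, $1)` keeps the style uniform. The rule `allow $1 stunnel_t:tcp_socket rw_socket_perms;` grants the service domain access to the proxy's own socket with no explanation; a comment such as `# the service presumably inherits the accepted connection from stunnel` would tell the reader why the service needs stunnel's socket rather than one of its own, and should be confirmed against how stunnel hands off inetd connections. The hotplug.te hunk on this line pairs `netutils_signal(hotplug_t)` with the existing `netutils_domtrans`, which matches the interface added in netutils.if.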